Security holes in PHP

What is your most annoying vulnerability in PHP?

Comments

[Jitendra]

WordPress 😛

[Alex Siman]

Despite all its vulnerabilities, WordPress's still the most popular web platform :)

[dewbiez]

WordPress has definitely make its history. And it's not terrible. But you shouldn't solely base it on popularity.

Just because there is a super popular person in school, doesn't make them a better person.

[Sergey Kislyakov]

AFAIK Wordpress without a lot of plugins isn't that bad in terms of security.

[bluebird]

race conditions.Also in many languages.:(

[Vlastimil Pospichal]

Some example? I have no problem with this.

[bluebird]

CVE-2017-16871 In fact, it is not common in php (golang is more). It is hard exploit and hard to find, but I can't ignore it, which leads me to check code like multi-step sql operation frequently.

[bluebird]

I tried a stupid sql operation to add user data (such as gold coins), and then add the number of user operations in the database.Sorry,not my open source code。

[Vlastimil Pospichal]

Use complex SQL or transaction.

[bluebird]

Yes. So I was stupid at the time.But sometimes I can't use sql ransaction. Because maybe I are calling an external api or other operation.

[Vlastimil Pospichal]

This is not vulnerability PHP. This is bad manipulation with database.

[bluebird]

sorry,I may understand the wrong title.But if you only say php specific vulnerabilities,Should only be file include bug and some php Internal implementation vulnerability.

[Boris Jamot ✊ /]

Bad developers.

[Alex Siman]

Yeah, I have noticed that PHP attracts a lot of newbies because of its simplicity to kickstart a web development. Especially that was a case somewhere around 2006 to 2010 in the era of LAMP stacks.